4.3.1 Two-Factor Authentication Using Time-Based One-Time Password

This section explains how to use Time-Based One-Time Password (TOTP) as a second authentication factor with Access Manager. TOTP uses a six-digit number (OTP) in addition to the first authentication factor (for example, username and password) to log in to protected services.

The first step is to register the TOTP client with the secret key. This secret key is used for all future logins to the website.

Typically, users download and install the TOTP app on their devices. To log in to a website or service that uses two-factor authentication, in addition to the user name and password, users enter an OTP generated by the TOTP app. Access Manager validates the OTP and authenticates the user.

Why Two-Factor Authentication

Two-factor authentication, such as TOTP, provides additional security for systems. It works on the principle of granting access based on a knowledge factor (something the user knows) and a possession factor (something the user owns). This helps organizations implement a multi-factor authentication scheme to satisfy regulatory requirements or to increase security.

Prerequisites for TOTP

  • Download and install the TOTP app on your device. This app generates an OTP that is later used for authentication.

  • TOTP relies on the device time to generate an OTP. So, it is important that the time on your device is accurate.
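As an added example that is not part of Access Manager or this guide, the following Python shows how a six-digit OTP is derived from the shared secret and the device time, and how a validator that tolerates one step of clock skew rejects codes from a device whose time has drifted further. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step), which the page does not state, and uses the RFC 6238 test secret as a constructed demo key.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # RFC 6238 default time step in seconds (assumed; not stated on the page)
DIGITS = 6   # Access Manager prompts for a six-digit OTP


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP for a shared secret at a given Unix time (RFC 6238, HMAC-SHA1)."""
    counter = int(unix_time) // step                      # time steps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, otp: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the OTP if it matches the current step or up to skew_steps either side.

    A device whose clock is off by more than skew_steps * STEP seconds produces
    codes that never match, which is why the prerequisite above insists on
    accurate device time.
    """
    if not (otp.isdigit() and len(otp) == DIGITS):
        return False
    for k in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + k * STEP)
        if hmac.compare_digest(candidate, otp):           # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test vector key), not a key from any real deployment.
    demo_secret = b"12345678901234567890"
    print("current OTP:", totp(demo_secret, int(time.time())))
```
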

Configuring TOTP Class, Method, and Contract

  1. Log in to Administration Console.

  2. Click Devices > Identity Servers > Edit > Local > Classes > New.

  3. Specify a name to identify the class.

  4. Select TOTPClass from Java Class. The Java class path is displayed as com.novell.nidp.authentication.local.TOTPAuthenticationClass.

  5. Click Next. By default, the TOTP class stores the secret key in the Shared Secret store and no further configuration is required.

  6. [Optional] Click New to store the secret key in an LDAP attribute, file, or memory.

    NOTE: File and Memory class implementations are not recommended for production deployment and are suitable only for a single-node Identity Server test environment.

    LDAP user attribute: This option stores the secret key on an LDAP attribute of the user object in the user store.

    1. Add a new property to indicate that the secret key must be stored in an LDAP attribute of the user object in the user store.

      Specify the Property Name as SECRET_STORE_CLASS and Property Value as USERSTORE.

    2. Click OK.

    3. Add another property to indicate the attribute in which the secret key must be stored.

      Specify the Property Name as SECRET_LDAP_ATTRIBUTE_NAME and, as the Property Value, the name of any single-valued attribute, for example, mobile or costcentre.

      The secret key is encrypted and stored in the LDAP attribute. If you do not specify any Property Value, the secret key is stored in the carLicense LDAP attribute.

      NOTE: Do not use a multi-valued LDAP attribute, such as email address, as the Property Value because user registration will fail. Ensure that the LDAP attribute you specify as the Property Value is a non-operational attribute. It is not recommended to use LDAP attributes such as groupmembership.

    File class: The File class writes the secret key to a file on the Identity Server file system. Add a new property to store the user's secret key in a file on the file system.

    Specify the Property Name as SECRET_STORE_CLASS and Property Value as FILE.

    Memory class: A memory-based class writes the secret key into memory. This memory is transient, so the secret key is lost each time Identity Server is restarted. Add a new property to define the memory-based store in which each user's secret key is kept. Specify the Property Name as SECRET_STORE_CLASS and Property Value as MEMORY.

  7. Click Finish.

  8. Click Devices > Identity Servers > Edit > Local > Methods.

  9. Click New to add a new method.

  10. Specify a name to identify the method. Select the TOTP class from the list. This links the TOTP class to the authentication method.

  11. Deselect the Identifies User option. Click Apply to save the changes.

  12. Select the user store from the list of Available user stores and move it to User store.

  13. You can use an existing authentication contract or create a new authentication contract. For example, you can add the default Name/Password – Form method as the first method and TOTP method as the second method. Click Apply to save the changes.

    NOTE: If you use TOTP as a post-authentication method in a federation setup, a JSP file not found message is displayed and federation fails.

Registering with TOTP

  1. Go to the Access Manager Identity Server page: http(s)://<idp server >:<port>/nidp

  2. Select the contract where TOTP is configured as the second method for two-factor authentication.

  3. Log in with the first method.

  4. Click the link beside Please register for two factor authentication to generate an OTP. Make a note of the secret key displayed.

    If you have installed the TOTP client on your device, scan the code. You can also manually enter the secret key in the TOTP mobile client.

    After the registration is complete on the TOTP client on your mobile, the OTP is displayed.

Verifying TOTP Configuration

  1. Go to the Access Manager Identity Server page: http(s)://<idp server >:<port>/nidp

  2. Select the contract where TOTP is configured as the second method for two-factor authentication.

  3. Log in with the first method.

    After you authenticate successfully with the username and password, a prompt is displayed to enter the TOTP OTP.

  4. Use the TOTP app to generate the OTP and log in by using this OTP.